Task #1347
closed
Modify the gcube-system wiki configuration to give write access to the bluebridge group
100%
Description
People who are assigned to the bluebridge group on the ldap-redmine LDAP server need to have write access to the gcube-system wiki.
Updated by Andrea Dell'Amico over 9 years ago
- Blocked by Task #1346: Create a BlueBridge group on the ldap-redmine ldap server added
Updated by Andrea Dell'Amico over 9 years ago
Now that we have groups on the new ldap server we can exploit them for the wiki permissions too?
Updated by Luca Frosini over 9 years ago
Thanks to the VRE user export functionality, it is now possible to automatically retrieve the users who can access and edit the wikis.
As discussed with @pasquale.pagano@isti.cnr.it:
- the gcube wiki (https://wiki.gcube-system.org/) must be writeable only by gCube VRE members (identified by the gCube LDAP group).
- the d4science wiki (https://wiki.d4science.org/) must be writeable only by BlueBridgeProject VRE members (identified by the BlueBridgeProject LDAP group).
The authentication has to be configured only from the new LDAP server. The old LDAP server authentication has to be removed.
The plan is to dismiss the old LDAP server ASAP. Moreover, we have to dismiss the use of manage. To do this we have to think about how to recreate the SSH key functionality. To address this, I think we can create a custom field in Liferay and @massimiliano.assante@isti.cnr.it can modify the LDAP export script to also export that field. @massimiliano.assante@isti.cnr.it can you confirm that this is feasible? If yes, I'll open a ticket for that.
Updated by Luca Frosini over 9 years ago
Sorry, I forgot that the gCube VRE members (identified by the gCube LDAP group) must also have access to the d4science wiki (https://wiki.d4science.org/).
Updated by Massimiliano Assante over 9 years ago
> The plan is to dismiss the old LDAP server ASAP. Moreover, we have to dismiss the use of manage. To do this we have to think about how to recreate the SSH key functionality. To address this, I think we can create a custom field in Liferay and @massimiliano.assante@isti.cnr.it can modify the LDAP export script to also export that field. @massimiliano.assante@isti.cnr.it can you confirm that this is feasible? If yes, I'll open a ticket for that.

It is feasible; however, I would not do this ASAP, at least the use of manage, as some of the features manage offers (the authorization management page) are very useful, e.g. to add users' SSH public keys to VMs almost automatically.
Updated by Andrea Dell'Amico over 9 years ago
Luca Frosini wrote:
> Thanks to the VRE user export functionality, it is now possible to automatically retrieve the users who can access and edit the wikis.
> As discussed with @pasquale.pagano@isti.cnr.it:
> - the gcube wiki (https://wiki.gcube-system.org/) must be writeable only by gCube VRE members (identified by the gCube LDAP group).
> - the d4science wiki (https://wiki.d4science.org/) must be writeable only by BlueBridgeProject VRE members (identified by the BlueBridgeProject LDAP group).
While the gcube-system.org wiki is already linked to both the ldap servers, the d4science.org wiki only authenticates against the old one. Are we sure that we can switch without consequences?
> The plan is to dismiss the old LDAP server ASAP. Moreover, we have to dismiss the use of manage. To do this we have to think about how to recreate the SSH key functionality. To address this, I think we can create a custom field in Liferay and @massimiliano.assante@isti.cnr.it can modify the LDAP export script to also export that field. @massimiliano.assante@isti.cnr.it can you confirm that this is feasible? If yes, I'll open a ticket for that.
Mind that the old LDAP server is used to authenticate services that are out of our control: the Openaire production in Poland, for example. And there are a lot of Openaire users (and many ISTI ones) that are present on the old ldap server only. There is no VRE for Openaire, right?
> It is feasible; however, I would not do this ASAP, at least the use of manage, as some of the features manage offers (the authorization management page) are very useful, e.g. to add users' SSH public keys to VMs almost automatically.
This part can be automated, and it is already on all the provisioned VMs.
Updated by Andrea Dell'Amico over 9 years ago
- Status changed from New to In Progress
I'm going to make the change tomorrow morning.
Updated by Andrea Dell'Amico over 9 years ago
I've found that being able to log in using the email address and set the correct user's group at the same time is possible only by changing the LDAP authentication code.
There is also a drawback because, after a logout, the proposed login name will be the username (uid) and not the email address.
Reverting to the username as login authentication, there's no need to change the LDAP authentication plugin code.
Let me know which solution we want to choose.
Updated by Andrea Dell'Amico over 9 years ago
I spoke with @luca.frosini@isti.cnr.it and he said to proceed using the email as username. I'll post a diff of the modified ldap auth plugin when done.
Updated by Andrea Dell'Amico over 9 years ago
- % Done changed from 0 to 70
The Gcube wiki is now authenticating against the new ldap server only.
Updated by Andrea Dell'Amico over 9 years ago
- Status changed from In Progress to Feedback
- % Done changed from 70 to 90
The d4science wiki too.
Updated by Andrea Dell'Amico over 9 years ago
And here is the modified LdapAuthentication.php
Updated by Andrea Dell'Amico over 9 years ago
- Status changed from Feedback to Closed